
Risk Management in Refineries
Ram K Goyal, Advisor - Risk Management and Leader - Central Reliability, Engineering, Bahrain Petroleum Company, and Vinod Menon, Standards Engineer, Bahrain Petroleum Company, Kingdom of Bahrain

Refineries in general deal with large volumes of flammable and toxic materials, so the risk of explosions or exposure of people to toxic gases and chemicals is always present. The risks associated with a modern-day refinery cannot be eliminated entirely, but we can learn to assess them accurately and then try to mitigate them. Effective risk management plays a pivotal role in abating the risks involved.

In an industry that deals with very large volumes of flammable and toxic materials, the risk of fires, explosions or exposure of people to toxic gases and chemicals is always present. However, this is not the only type of risk faced by modern-day refineries. A typical refinery’s risk universe might include risks associated with business sustainability, continuity and contingency, politico-social factors, financial risk management, Enterprise Risk Management (ERM), security vulnerability, human resources, external factors such as competitors, environmental risks, reputation, capital stewardship, acute risks other than FLEXA (fire, lightning, explosion, and act of God), and health or chronic risks.
In addition to the above, as populations increase, with the resulting growth in demand for land for residential and commercial purposes, refineries face unrelenting pressure from those seeking permission to let more and more people live in close proximity to their processing and storage facilities. The consequences of any loss of containment incident have therefore increased multi-fold, with significant impacts outside the refinery fence line. In such an environment, risk management has become a key responsibility for executives and boards of directors.
We cannot eliminate risk entirely, hence we must learn to accurately assess it and then mitigate the unacceptable part of it – leaving behind a small and residual risk, which we then have to learn to live with. This small acceptable risk is sometimes referred to as ALARP (as low as reasonably practicable).
Risk management in refineries finds excellent support and governance frameworks in the form of government legislation, industry standards and published best practices. In the USA, federal regulation from the Occupational Safety and Health Administration (OSHA) 119.1910 on Process Safety Management, the Risk Management Programme (RMP) Rule 40CFR Part 68, the UK Control of Major Accident Hazards (COMAH) regulation, the European ISO 31000, and the Indian OISD (Oil Industry Safety Directorate) standards provide a wealth of knowledge for the risk managers of refineries.

Refinery Risk Universe
Historically, the term "Risk Management" was used in refineries to refer to the management of risks that were considered insurable under the FLEXA scheme (i.e. loss events arising from fires, lightning strikes, explosions, and acts of God). When Process Safety Management (PSM) became popular under the OSHA Regulation, primarily in the USA, risk management began to include concepts such as Process Hazards Analysis, Probabilistic Risk Assessment, Quantitative Risk Analysis, and Land Use Planning. Currently, the risk "universe" of a refinery comprises a multitude of technical, commercial, process, and financial areas. These typical refinery risks are shown in Figure 1. Some current topics of interest in risk management are discussed herein.

1. Risk Acceptance Criteria: The industry makes every effort to manage its risk and drive it to a level as low as reasonably practicable. Most Environment, Health and Safety (EHS) related decisions are based on the concept that there exists a low-level of residual risk, which can be deemed as “acceptably low.” For this purpose many companies have established their own risk acceptance or risk tolerance criteria. Some governments have also published guidelines for selecting levels for risk acceptance.
The Bahrain Petroleum Company (BAPCO) had developed in-house criteria at the beginning of our risk management programme, which were subsequently aligned with other more recent publications. The main premise of our overall enterprise-wide risk acceptance criteria is that the cumulative frequency of fatality resulting from Bapco’s business is maintained at a rate lower than 1 x 10⁻³ per year. For acute risks related to the three business units (Refinery, Oil & Gas and Marketing), this acceptance is therefore dropped a further order of magnitude; i.e., the cumulative risk of a major event such as fatality, multiple irreversible injuries (public), major fire or explosion or major spill at sea that results in widespread adverse publicity nationally and internationally, is maintained at a rate lower than 1 x 10⁻⁴ per year in each of the three business units.

Therefore, for a given project or a process unit, the risk acceptance criteria shown in Table 1 shall be applied. These criteria are based on the ALARP principle, which calls for all known risk exposures to be reduced to a level ‘As Low As is Reasonably Practicable (ALARP).’ Although the US OSHA regulations do not specifically address ALARP in quantitative terms, in practice they have been found to be largely compatible with this concept.

2. Allowable Land Use within Annual Individual Risk Bands: For decades now, the oil companies and the communities in whose vicinity they operate have had a kind of love-hate relationship, with many ups and downs along the way. On the one hand, the communities love the economic benefit and regional advancement that the oil companies bring in their wake, while on the other, they decry the real as well as imaginary environmental, health or safety related threats posed by the oil, gas and petrochemical plants operating in their midst.

This acerbic publicity sometimes portrays the oil company as an uncaring and greedy corporation interested only in making a fast buck at the expense of the health and well-being of the poor, helpless communities who are too weak to fight the evil company. In reality this is not the case. In Bapco we have adopted a very rational and workable set of land use planning guidelines that recognize the needs of the company and the public in a harmony of mutual interest and well-being.

The third party land use-planning standard for acceptance that we have adopted with respect to annual individual risk bands is diagrammatically given in Figure 2. Note that this standard does not permit any third party land use within the iso-risk contour of 1 x 10⁻⁴ per year (event rate of individual fatality of 1 x 10⁻⁴ per year or higher).

Exceptions in specific cases are resolved in mutual discussions and any perceived high risks are mitigated through engineering and administrative controls.

3. Risk Assessment Matrices: For process safety management, risk assessment matrices are a very convenient means of graphically representing various levels of risk such as major, moderate and low. These matrices are being used extensively in qualitative and semi-quantitative risk analysis studies that are conducted during HAZOPs (Hazard and Operability Studies) of process plants and Safety Integrity Level (SIL) reviews of instrumented safety systems and Emergency Shut Down (ESD) systems. The selection of an appropriate risk acceptance criterion is a key input to the Hazard and Operability Studies (HAZOP) and SIL recommendations and design decisions.

Use of risk assessment matrices did not remain limited to process hazard analysis alone; it expanded to all other areas that were seeking risk-based decision making as a means to increased cost-efficiency, such as risk-based maintenance work selection, RBI (risk-based inspection) and risk-based prioritization of engineering projects. This wider use resulted in the development of many different risk matrices in a single company. Further diversity was added when additional matrices were developed and adopted for acquiring certifications such as ISO 1400 (environment), ISO 9000 (quality) and OHSAS 18000.

Calls by management for the development and adoption of a single, unified risk assessment matrix for the company as a whole inevitably followed. The authors are of the opinion that there exists a great deal of misunderstanding related to risk assessment matrices and risk acceptance criteria amongst the users, including well-known consultants in the field.

In the area of risk matrices, we need to maintain the “horses for courses” approach; albeit the various matrices need to be consistent and in compliance with the company’s overall risk acceptance criteria and its risk appetite. One example set of Severity Ratings that can be used to build a consistent risk matrix is given in Table 2. Likewise, Table 3 shows the industry best practice example in Incident Likelihood Rankings.

4. Personnel Safety versus Process Safety: The investigation of the 2005 BP Texas City Refinery Incident had highlighted to the industry that we should not be fooled into believing that our performance on the personnel safety front necessarily reflects our performance on the process safety front.

We could be amongst world leaders in terms of our achieved low personnel injury rates but we could, at the same time, be quite deficient in our process safety efforts. One way to ensure that senior management pays adequate attention to process safety matters is to adopt formal systems such as the OSHA PSM and back them by assessing your risks in quantitative terms whenever feasible. Establishing a company’s risk register under a formal “Safety Case” goes a long way in ensuring that senior management are paying close attention to risks that matter.

In addition to other contents (as listed in the formal documents of the HSE UK and the Seveso Directive), a Safety Case or Safety Report typically contains detailed modeling of all significant risk scenarios related to toxic exposure, fires, explosions and environmental releases. In Bapco's case a typical Safety Case / Report addresses the following scenarios including many others:

• Chlorine leak from 1-ton cylinder
• Major fire in the sulfur pastilles storage pile (SO2 exposure)
• Major leak from an acid gas line (H2S exposure)
• Leak of oil from a sea line
• Leak of hydrocarbon product, oil or bunker from a ship
• Large release of hydrocarbon material to the sea via the cooling water system
• Large atmospheric storage tank rupture and fire
• Rupture of a tanker on road and fire
• Major fire in a Service Station
• Large fire / explosion at a high pressure gas distribution network valve station
• UVCE (unconfined vapor cloud explosion) of an LPG cloud
• BLEVE (boiling liquid expanding vapor explosion) of an LPG storage sphere
• Large release from a cross-country pipeline in densely populated area
• Leak from light-ends vessel followed by UVCE
• A congested volume explosion event in the FCCU area
• Runaway reaction in Hydrocracker reactor followed by breach of the HP loop
• Major explosion or fire at the Marketing Terminal

5. API RP 752 and 753: Location of Permanent and Temporary Buildings: The BP Texas City refinery incident of March 2005 was an eye-opener for the petroleum industry in two major areas: firstly it highlighted that senior management did not understand the difference between general safety and process safety, and secondly, it showed that we had not given enough thought to the siting of temporary and permanent buildings for use by employees and contractors in process plants. A majority of the 15 fatalities that resulted from BP Texas City incident were people who had nothing to do with the unit from which the large hydrocarbon release occurred. While the jury is still out in deciding whether we have been developing a better understanding of general safety versus process safety or not, the industry has acted very swiftly on the issue of building siting. The American Petroleum Institute has issued a new recommended practice API RP753 (dealing with temporary trailers) and has updated the API RP752 titled 'Management of Hazards Associated with the Location of Process Plant Buildings.'

The temporary trailers in BP Texas City were as close as 121 feet from the Blowdown Drum (source of the release). The API RP753 is forcing some of the trailers to be located over 1000 feet from the unit under turnaround and inspection (the minimum distance permitted is 330 feet, applicable in the case of a unit with computed "congested volume" of 7500 cubic feet). Have we got it right or are we over-reacting?

Temporary and portable buildings are typically deployed at the time of maintenance and turnaround activity with the intent of bringing the required personnel and services within proximity of the work site. Over the years, companies develop their own preferred locations for locating the trailers. Are these ‘preferred’ locations in violation of the API RP753 compliance requirements? Will compliance defeat the purpose?

Bapco has implemented best practices that comply with the underlying requirements of the API recommended practices and addressed the practical issues of compliance to these. Bapco has a robust methodology for assessing the hazards and examining how best we can manage the risks to existing building facilities. A three-tier approach is followed: develop detailed overpressure risk contours for all stipulated congested volumes, where explosion can occur and use the results as a first-step screening; identify all buildings that are in violation and risk rank these on the basis of the company's risk assessment matrix; and then adopt a formal waiver procedure for those buildings where relocation is not a viable option.

6. Synergy between Risk and Reliability Management: One of the best practices that Bapco has adopted (and which holds a competitive advantage over others) is the integration of the risk management and reliability management functions. The two fields can build up a synergy that helps resolve many issues without duplicating effort. Low reliability would result in higher downtime due to unplanned stoppages of our process (and thereby loss of profit) and higher repair costs. Too high a reliability achieved through duplication of equipment would result in prohibitively high capital expenditure.

Bapco's quest for improved reliability goes hand-in-hand with our core commitments made in the areas of Health, Safety, and the Environment. In order to improve reliability, we need to pay attention to People, Processes, and Equipment. Bapco has a two-pronged approach to enhancing the reliability of assets: a proactive approach, which monitors and assesses the performance of the asset and takes corrective action before it breaks down, and a reactive approach, which carries out incident investigation and recommends corrective actions to prevent recurrence of such incidents and thereby improve the availability of the assets. Bapco has seen enhanced reliability and availability of assets as a result of these approaches, in terms of improved Mechanical Availability and On-stream Factors. Bapco has a strong reliability culture: the assets of each area are looked after by a multi-discipline team called the Area Reliability Team, which is assisted by a Reliability Specialist who guides it.

This team monitors its area with a view to improving the reliability and availability of assets, with the help of an Integrated Reliability Tool that generates reliability-related results using inputs like Work Order data, Failure History, Incident Details, and Availability Events. This helps the team to identify the bad actors in its area and take corrective action to improve their availability and reliability. However, identification of bad actors always remains a major challenge for the team.

In this respect, one may identify bad actors based on operating experience, taking maintenance cost into consideration. However, this approach has its own limitations. For example, if the number of failures is set as the sole criterion, then equipment that has a low failure rate but consumes disproportionate time or money for maintenance may not be considered at all. On the other hand, if maintenance cost is the sole criterion for selection, then large and expensive equipment, even though it is performing well, will dominate the list. In such a case small equipment, even though it fails frequently and consumes a disproportionate amount of maintenance time and cost, may get excluded.

Alternatively, a mathematical model may be developed for identifying bad actors and ranking them in order of merit. The model would take into account failure frequency, repair and maintenance expenditure, and the cost of failure in terms of LPO (Loss of Profit Opportunity). A mathematical model also eliminates individual bias. The team can review the list thus prepared, and bad actors can be identified and prioritized by also taking operational experience into consideration. The model thus provides a sound basis, rather than individual judgment, for bad actor identification.
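
The ranking problem described above can be illustrated with a short added example; it is not Bapco's model or code from the article. The equal weights, the share-of-total normalisation and the equipment data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    tag: str           # constructed equipment tag
    failures: int      # failures in the review period
    maint_cost: float  # repair and maintenance expenditure
    lpo: float         # Loss of Profit Opportunity caused by those failures


# Constructed sample data, not taken from the article.
ASSETS = [
    Asset("K-101 compressor", 1, 900_000, 50_000),
    Asset("P-205 small pump", 14, 60_000, 40_000),
    Asset("E-310 exchanger", 2, 80_000, 1_200_000),
    Asset("P-118 pump", 3, 30_000, 10_000),
    Asset("C-402 column", 0, 400_000, 0),
]

# Assumed equal weights; a real model would calibrate these.
WEIGHTS = {"failures": 1 / 3, "maint_cost": 1 / 3, "lpo": 1 / 3}


def rank_by(assets, field):
    """Single-criterion ranking, worst first (the approach with known blind spots)."""
    ordered = sorted(assets, key=lambda a: getattr(a, field), reverse=True)
    return [a.tag for a in ordered]


def composite_scores(assets, weights=WEIGHTS):
    """Score each asset by its weighted share of the fleet total per criterion."""
    # 'or 1' avoids division by zero when a criterion sums to zero.
    totals = {f: sum(getattr(a, f) for a in assets) or 1 for f in weights}
    return {
        a.tag: sum(w * getattr(a, f) / totals[f] for f, w in weights.items())
        for a in assets
    }


def bad_actors(assets, top_n=3, weights=WEIGHTS):
    """Return the top_n tags by composite score, worst first."""
    scores = composite_scores(assets, weights)
    return sorted(scores, key=scores.get, reverse=True)[:top_n]


if __name__ == "__main__":
    print("by failures only :", rank_by(ASSETS, "failures")[:3])
    print("by cost only     :", rank_by(ASSETS, "maint_cost")[:3])
    print("composite        :", bad_actors(ASSETS))
```

With this data, ranking on failures alone drops the costly compressor from the top three, ranking on maintenance cost alone drops the frequently failing small pump, and the composite list keeps both.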

7. Inventory Isolation Block Valves: The emergency inventory isolation block valve (EIBV) requirement for hydrocarbon vessels is another best practice that has been enshrined in the Company engineering standards. The primary intent of this standard is to ensure that liquid hydrocarbon inventory can be isolated (safely, by an operator) in case of an emergency such as a release or fire involving the equipment, so as not to continue feeding the fire or release. The standard insists on safe distances for the location of the isolation valve of the equipment. If the valve is located in close proximity to the potential release site (or fire) or in an area of congestion, then it cannot be regarded as a sufficient safeguard. This could lead to a situation where fuel continues to be added to a fire, making it likely that a small event turns into a major disaster. The main criteria in selecting the location of an EIBV depend on the inventory and the properties of the hydrocarbon in the vessel (operating temperature and flash point). Table 4, which is a part of the company’s engineering standard, provides a guideline to our risk managers in establishing the requirement for an EIBV.

Concluding Remarks
• Risk management is as much a science as it is an art. Be sensitive to the requirements of all stakeholders.
• Most risks can be quantified, if you are prepared to put in enough effort. However, beware that not all risks are worth quantifying.
• Test and re-test the assumptions you make in risk assessment and subsequent evaluations.
• Risk assessment is a 'live' matter; it does not go away once you have resolved it in one manner. It can come back in another guise. You will have to re-visit many of the risk assessments that you might have completed in the past.
• There are some very good consultants available; use them.